As early as 2017, security and compliance professionals from many of Tripwire's major corporate and government customers were talking about migration to the cloud as an opportunity to be considered and carefully investigated in the coming years.
The tone changed within a year. What used to be "we think about it" became "the CIO wants to see the migration start this year!" By 2018, many customers were completely immersed in an aggressive campaign to renew their IT environments.
The business benefits of switching to cloud infrastructure, platforms and software are well known. Often less understood, at least by many senior leaders who make large-scale investment decisions, are the security and compliance nuances of such a shift. Organizations face both challenges and opportunities in managing risk effectively in these new, usually hybrid, environments.
Cloud-hosted IT does not necessarily mean less secure. There are many security enhancements offered by hosting services that might otherwise not be effectively implemented in a company whose core competencies do not include IT.
Infrastructure-as-a-Service, for example, often comes with built-in patch management, secure configurations (or at least securely configurable settings), system redundancy, data backups and incident response, so security is not automatically compromised; in some respects it can even be improved. But cloud-hosted IT does security differently.
A large part of the difference comes from the extensive coverage that is needed. There are generally three areas to consider:
- Security of cloud-hosted resources. Simply put, this is an extension of what was always required on-prem: security controls on the virtual servers, databases, workstations, etc., that process data and do the work. Although the host may be different (physical to virtual, on-prem to hosted), the security requirements, measures and tools remain the same.
- Security of the cloud accounts. This is the customer-facing cloud environment itself, which now needs to be securely configured and protected. Loosely analogous to the physical perimeter security of an on-prem data center, the security of these accounts must be maintained to prevent unauthorized access to, and modification of, important settings (for example, AWS account and service configurations).
- Security of content built for the cloud. Because the infrastructure and platform layers have shifted to hosted environments, the development of application content is undergoing its own DevOps revolution. Instead of large software bundles that are occasionally patched and updated, delivery is now as continuous as possible, often in containers. Managing the vulnerabilities, configurations, etc. of this content is vital.
Security teams and compliance teams must now implement, monitor and integrate security measures in these three areas and beyond.
Another important difference is that responsibilities are shared between service providers and customers. Since it is the customer's data and systems that must be protected, the customer ultimately remains responsible (read: liable) for a compromise. On close inspection, what the service provider actually covers is often less than the customer assumed at the outset.
A clear understanding of what the security team needs to manage itself is crucial for effective cloud protection.
Most importantly, the need for fundamental security controls does not change because the IT environment is organized differently and responsibilities are shared. Fundamental security principles, it turns out, apply both in the cloud and on-prem.
The CIS controls remain an effective way to prioritize security for every organization. Now the CIS controls are equipped with a CIS Controls Cloud Companion Guide that provides guidelines for implementing best practices for security in cloud environments. Taking into account the unique characteristics of virtualized systems in hosted environments, the guide shows how each CIS control and sub-control can and should be implemented.
Perhaps the most notable feature of the Cloud Companion Guide is that the security controls themselves remain intact. Although there are many new considerations about how they are implemented and who is responsible for each sub-control, the CIS Controls are just as relevant to this new environment as they were when they were first developed for dedicated, on-premise, self-managed data centers.
The organization still needs to know what is connected to, or in, its environment (CIS Control #1, inventory of hardware assets); what is running on those assets (CIS Control #2, inventory of software assets); where vulnerabilities are and how they should be addressed (CIS Control #3, continuous vulnerability management); how to securely configure assets (CIS Control #5, secure configuration management); and so on.
For example, on secure configuration management (CIS Control #5), the guide says: "Even if a strong initial configuration is developed and implemented in the cloud, it must be constantly managed to prevent configuration drift when the software is updated or patched, new security vulnerabilities are reported and the configurations are 'adjusted' to install new software or support new operational requirements." The customer must either confirm that the service provider maintains this standard or do it themselves.
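As an added illustration of the drift check the guide calls for (example code written for this page, not Tripwire's or CIS's own tooling), the following compares a hardened baseline against the current state of a simple key/value configuration, reports what was added, removed or changed, and flags settings that violate a hardening policy. The two configuration snippets, the `HARDENING_RULES` policy and all function names are constructed for this example; the file format is modelled loosely on sshd_config.

```python
"""Baseline-vs-current configuration drift check (constructed example)."""
import hashlib

# Constructed baseline: the approved hardened configuration.
BASELINE_TEXT = """
# approved baseline (constructed for this example)
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
"""

# Constructed "current" state: one setting was 'adjusted' to let an install
# script in, one was dropped, and one new setting appeared.
CURRENT_TEXT = """
Protocol 2
PermitRootLogin yes   # adjusted to let an install script in
PasswordAuthentication no
AllowTcpForwarding yes
"""

# Assumed hardening policy: each key must hold one of the allowed values.
HARDENING_RULES = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "protocol": {"2"},
}


def parse_kv_config(text):
    """Parse 'Key value' lines; comments and blank lines are ignored.

    Keys are lower-cased so that case differences do not register as drift.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def config_hash(settings):
    """Stable SHA-256 over the canonical (sorted) form, usable as a baseline fingerprint."""
    canonical = "\n".join(f"{k}={v}" for k, v in sorted(settings.items()))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def detect_drift(baseline, current):
    """Return the keys added, removed and changed relative to the baseline."""
    added = {k: current[k] for k in current.keys() - baseline.keys()}
    removed = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {
        k: (baseline[k], current[k])
        for k in baseline.keys() & current.keys()
        if baseline[k] != current[k]
    }
    return {"added": added, "removed": removed, "changed": changed}


def policy_violations(settings, rules=HARDENING_RULES):
    """Return the settings whose value is not allowed by the policy.

    A key that is missing entirely (value None) is also a violation: a required
    hardening setting that disappeared is drift just as much as a changed one.
    """
    return {
        k: settings.get(k)
        for k, allowed in rules.items()
        if settings.get(k) not in allowed
    }


def drift_report(baseline_text, current_text):
    """Combine the fingerprint comparison, the diff and the policy check."""
    baseline = parse_kv_config(baseline_text)
    current = parse_kv_config(current_text)
    return {
        "fingerprint_matches": config_hash(baseline) == config_hash(current),
        "drift": detect_drift(baseline, current),
        "violations": policy_violations(current),
    }


if __name__ == "__main__":
    report = drift_report(BASELINE_TEXT, CURRENT_TEXT)
    print("fingerprint matches:", report["fingerprint_matches"])
    for kind, entries in report["drift"].items():
        for key, value in entries.items():
            print(f"{kind}: {key} -> {value}")
    for key, value in report["violations"].items():
        print(f"policy violation: {key}={value}")
```

The fingerprint answers the cheap question "has anything changed?"; the diff and policy check answer the expensive one, "does the change matter?". In practice the baseline would be stored outside the host being checked, and the check would run continuously rather than once, which is the point of the guide's sentence quoted above.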
It turns out that, despite rapid and radical technological change, the principles for securing IT resources and data remain very consistent. The challenge is not to reinvent the security strategy but to re-engineer the methods and processes that implement it effectively.
Cloud migration offers many benefits. A security-focused organization can maintain its secure position by understanding the opportunities and challenges associated with new environments, taking responsibility for its part in the shared responsibility model and, as always, staying consistent with the implementation of proven best practices such as CIS controls.